This action is in response to the communication filed on 1/19/2007.

Response to Arguments

In view of the Appeal Brief filed on 1/19/2007, PROSECUTION IS HEREBY REOPENED. New grounds of rejection are set forth below.

To avoid abandonment of the application, appellant must exercise one of the following two options:

(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,

(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.

A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:



SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100

DETAILED ACTION

Response to Arguments

Applicant's arguments, see the Appeal Brief, filed 1/19/2007, with respect to the rejection(s) of claim(s) 1-32 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of WO 99/56194.

All objections and rejections not set forth below have been withdrawn.

Claims 1-32 have been examined.

Claim Rejections - 35 USC §101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

The claims are directed to a "computer program product in computer readable media." Appellant's specification, paragraph 2 of the detailed description, provides intrinsic evidence that Appellant intends for such computer readable media to include "transmission media." In the event that such "transmission media" are intended to be limited to the hardware and software necessary to transmit, transport, receive and process the computer program product in such a manner as to enable the computer program product to act as a computer component and realize its functionality, it is believed that the claims in question would be directed to patent-eligible subject matter (statutory). However, no such evidence that the embodiment covered by the claims in question which is directed to the "transmission media" is limited to inclusion of such hardware and software elements exists. Therefore, it is believed that the "transmission media" would reasonably be interpreted by one of ordinary skill as the abstract idea of any portion of a communication, including the forms of energy, per se, used in communications. Absent recitation of the hardware, the claims appear devoid of any physical articles or objects which may cooperate to achieve some function, and as such are not directed to a machine. Likewise, absent any such physical article or object, they cannot be directed to a manufacture. They are clearly not a series of steps or acts themselves, and as such are not a process. They are clearly not a composition of matter. Therefore, the claims in question do not appear to fall within a statutory category of invention as set forth in 35 USC 101.

Claim Rejections - 35 USC §103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-3, 5, 7-11, 14-15, and 26-32 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bartolomeos et al. (WO 99/56194) hereinafter referred to as Bartolomeos, and further in view of Kaliski, JR. (Patent Application Publication 2001/0055388) hereinafter referred to as Kaliski.

Regarding claim 1, Bartolomeos disclosed a method for a middle-tier server (See Bartolomeos Fig. 1 Server 120(1)) to impersonate a client (See Bartolomeos Element 110(1)) to a plurality of servers (See Bartolomeos Servers 120(2)-120(M)), the method comprising: providing a request for authentication data to the client (See Bartolomeos Page 13 Lines 9-11); receiving the authentication data at the middle-tier server (See Bartolomeos Page 13 Lines 9-11); and providing authentication data to the plurality of servers to authenticate the client to the plurality of servers (See Bartolomeos Page 13 Line 24 - Page 14 Line 6), but Bartolomeos failed to disclose that the authentication data was a common nonce associated with the plurality of servers, or that the common nonce was signed by the client prior to being used to authenticate the client. However, Bartolomeos did suggest that any type of authentication could have been used, and that the disclosed username and password were simply one embodiment (See Bartolomeos Page 11 Lines 6-11), and Bartolomeos did disclose only server 120(1) contacting the client to request the client's authentication data (See Bartolomeos Page 13 Lines 9-11).

Kaliski teaches a method for a client to authenticate itself to multiple servers by signing a message with the client's private key, the message containing a nonce from each of the servers, and the private key being of a public/private key pair. Kaliski further teaches that the signed message is returned to server, wherein the client is authenticated if the server verifies the signature of the message, as well as verifying that the message contains its corresponding nonce (See Kaliski Paragraph 0069 and 0083-0086, particularly 0085).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kaliski in the client authentication system of Bartolomeos by having each server provide a nonce for the client, having the client sign a message containing the nonces, having the client return the signed message to server 120(1), authenticating the client using the message, and if authenticated, providing the signed message to each of servers 120(2)-120(M) which then use the signed message to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide a more secure authentication than User ID and Password, and further would have been motivated to ensure that the authentication data is fresh and not a replay of previous authentication data.

In this combination, it further would have been obvious to the ordinary person skilled in the art at the time of invention for Server 120(1) to have collected the nonces from Servers 120(2)-120(M) and provided them to the client in a single message as a challenge to the client. This would have been obvious because Bartolomeos disclosed only server 120(1) requesting authentication data from the client, and furthermore Bartolomeos is concerned with eliminating repetitive, tedious and burdensome tasks, and one of ordinary skill in the art would have recognized that sending an individual nonce message for each of the M servers would have been repetitive, tedious, and burdensome. Furthermore, sending one message containing all the nonces to the client would have been obvious because the ordinary person skilled in the art would have been motivated to eliminate unnecessary traffic through network 110.

Application/Control Number: 09/921,536
Art Unit: 2131

Regarding claim 26, Bartolomeos disclosed a system for a middle-tier server (See Bartolomeos Fig. 1 Server 120(1)) to impersonate a client (See Bartolomeos Element 110(1)) to a plurality of servers (See Bartolomeos Servers 120(2)-120(M)), comprising: means for providing a request for authentication data to the client (See Bartolomeos Page 13 Lines 9-11); means for receiving the authentication data at the middle-tier server (See Bartolomeos Page 13 Lines 9-11); and means for providing authentication data to the plurality of servers to authenticate the client to the plurality of servers (See Bartolomeos Page 13 Line 24 - Page 14 Line 6), but Bartolomeos failed to disclose that the authentication data was a common nonce associated with the plurality of servers, or that the common nonce was signed by the client prior to being used to authenticate the client. However, Bartolomeos did suggest that any type of authentication could have been used, and that the disclosed username and password were simply one embodiment (See Bartolomeos Page 11 Lines 6-11), and Bartolomeos did disclose only server 120(1) contacting the client to request the client's authentication data (See Bartolomeos Page 13 Lines 9-11).

Kaliski teaches a method for a client to authenticate itself to multiple servers by signing a message with the client's private key, the message containing a nonce from each of the servers, and the private key being of a public/private key pair. Kaliski further teaches that the signed message is returned to server, wherein the client is authenticated if the server verifies the signature of the message, as well as verifying that the message contains its corresponding nonce (See Kaliski Paragraph 0069 and 0083-0086, particularly 0085).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kaliski in the client authentication system of Bartolomeos by having each server provide a nonce for the client, having the client sign a message containing the nonces, having the client return the signed message to server 120(1), authenticating the client using the message, and if authenticated, providing the signed message to each of servers 120(2)-120(M) which then use the signed message to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide a more secure authentication than User ID and Password, and further would have been motivated to ensure that the authentication data is fresh and not a replay of previous authentication data.

In this combination, it further would have been obvious to the ordinary person skilled in the art at the time of invention for Server 120(1) to have collected the nonces from Servers 120(2)-120(M) and provided them to the client in a single message as a challenge to the client. This would have been obvious because Bartolomeos disclosed only server 120(1) requesting authentication data from the client, and furthermore Bartolomeos is concerned with eliminating repetitive, tedious and burdensome tasks, and one of ordinary skill in the art would have recognized that sending an individual nonce message for each of the M servers would have been repetitive, tedious, and burdensome. Furthermore, sending one message containing all the nonces to the client would have been obvious because the ordinary person skilled in the art would have been motivated to eliminate unnecessary traffic through network 110.

Regarding claim 27, Bartolomeos disclosed a computer program product for a middle-tier server (See Bartolomeos Fig. 1 Server 120(1)) to impersonate a client (See Bartolomeos Element 110(1)) to a plurality of servers (See Bartolomeos Servers 120(2)-120(M)), comprising: a computer readable media having computer readable program code embodied therein, the computer readable program code comprising: computer readable program code that provides a request for authentication data to the client (See Bartolomeos Page 13 Lines 9-11); computer readable program code that receives the authentication data at the middle-tier server (See Bartolomeos Page 13 Lines 9-11); and computer program readable code that provides authentication data to the plurality of servers to authenticate the client to the plurality of servers (See Bartolomeos Page 13 Line 24 - Page 14 Line 6), but Bartolomeos failed to disclose that the authentication data was a common nonce associated with the plurality of servers, or that the common nonce was signed by the client prior to being used to authenticate the client. However, Bartolomeos did suggest that any type of authentication could have been used, and that the disclosed username and password were simply one embodiment (See Bartolomeos Page 11 Lines 6-11), and Bartolomeos did disclose only server 120(1) contacting the client to request the client's authentication data (See Bartolomeos Page 13 Lines 9-11).

Kaliski teaches a method for a client to authenticate itself to multiple servers by signing a message with the client's private key, the message containing a nonce from each of the servers, and the private key being of a public/private key pair. Kaliski further teaches that the signed message is returned to server, wherein the client is authenticated if the server verifies the signature of the message, as well as verifying that the message contains its corresponding nonce (See Kaliski Paragraph 0069 and 0083-0086, particularly 0085).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kaliski in the client authentication system of Bartolomeos by having each server provide a nonce for the client, having the client sign a message containing the nonces, having the client return the signed message to server 120(1), authenticating the client using the message, and if authenticated, providing the signed message to each of servers 120(2)-120(M) which then use the signed message to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide a more secure authentication than User ID and Password, and further would have been motivated to ensure that the authentication data is fresh and not a replay of previous authentication data.

In this combination, it further would have been obvious to the ordinary person skilled in the art at the time of invention for Server 120(1) to have collected the nonces from Servers 120(2)-120(M) and provided them to the client in a single message as a challenge to the client. This would have been obvious because Bartolomeos disclosed only server 120(1) requesting authentication data from the client, and furthermore Bartolomeos is concerned with eliminating repetitive, tedious and burdensome tasks, and one of ordinary skill in the art would have recognized that sending an individual nonce message for each of the M servers would have been repetitive, tedious, and burdensome. Furthermore, sending one message containing all the nonces to the client would have been obvious because the ordinary person skilled in the art would have been motivated to eliminate unnecessary traffic through network 110.

Regarding claim 28, Bartolomeos disclosed a method of authenticating a client (See Bartolomeos Fig. 1 Element 100(1)), comprising: receiving at a server (See Bartolomeos Fig. 1 Element 120(2)) of a plurality of servers (See Bartolomeos Fig. 1 Elements 120(2)-120(M)), authentication data that is provided to each of the plurality of servers (See Bartolomeos Page 14 Lines 1-4) from an entity other than the client or the plurality of servers (See Bartolomeos Page 14 Lines 1-4 server 120(1)), the authentication data being associated with each of the plurality of servers (See Bartolomeos Page 14 Lines 5-6 and Page 11 Lines 6-11); and authenticating the client based on the received authentication data (See Bartolomeos Page 14 Lines 5-6), but Bartolomeos failed to disclose that the authentication data was a common nonce associated with the plurality of servers, or that the common nonce was signed by the client prior to being used to authenticate the client. However, Bartolomeos did suggest that any type of authentication could have been used, and that the disclosed username and password were simply one embodiment (See Bartolomeos Page 11 Lines 6-11), and Bartolomeos did disclose only server 120(1) contacting the client to request the client's authentication data (See Bartolomeos Page 13 Lines 9-11).

Kaliski teaches a method for a client to authenticate itself to multiple servers by signing a message with the client's private key, the message containing a nonce from each of the servers, and the private key being of a public/private key pair. Kaliski further teaches that the signed message is returned to server, wherein the client is authenticated if the server verifies the signature of the message, as well as verifying that the message contains its corresponding nonce (See Kaliski Paragraph 0069 and 0083-0086, particularly 0085).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kaliski in the client authentication system of Bartolomeos by having each server provide a nonce for the client, having the client sign a message containing the nonces, having the client return the signed message to server 120(1), authenticating the client using the message, and if authenticated, providing the signed message to each of servers 120(2)-120(M) which then use the signed message to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide a more secure authentication than User ID and Password, and further would have been motivated to ensure that the authentication data is fresh and not a replay of previous authentication data.

In this combination, it further would have been obvious to the ordinary person skilled in the art at the time of invention for Server 120(1) to have collected the nonces from Servers 120(2)-120(M) and provided them to the client in a single message as a challenge to the client. This would have been obvious because Bartolomeos disclosed only server 120(1) requesting authentication data from the client, and furthermore Bartolomeos is concerned with eliminating repetitive, tedious and burdensome tasks, and one of ordinary skill in the art would have recognized that sending an individual nonce message for each of the M servers would have been repetitive, tedious, and burdensome. Furthermore, sending one message containing all the nonces to the client would have been obvious because the ordinary person skilled in the art would have been motivated to eliminate unnecessary traffic through network 110.

Regarding claim 31, Bartolomeos disclosed a system for authenticating a client (See Bartolomeos Fig. 1 Element 100(1)), comprising: means for receiving at a server (See Bartolomeos Fig. 1 Element 120(2)) of a plurality of servers (See Bartolomeos Fig. 1 Elements 120(2)-120(M)), authentication data that is provided to each of the plurality of servers (See Bartolomeos Page 14 Lines 1-4) from an entity other than the client or the plurality of servers (See Bartolomeos Page 14 Lines 1-4 server 120(1)), the authentication data being associated with each of the plurality of servers (See Bartolomeos Page 14 Lines 5-6 and Page 11 Lines 6-11); and means for authenticating the client based on the received authentication data (See Bartolomeos Page 14 Lines 5-6), but Bartolomeos failed to disclose that the authentication data was a common nonce associated with the plurality of servers, or that the common nonce was signed by the client prior to being used to authenticate the client. However, Bartolomeos did suggest that any type of authentication could have been used, and that the disclosed username and password were simply one embodiment (See Bartolomeos Page 11 Lines 6-11), and Bartolomeos did disclose only server 120(1) contacting the client to request the client's authentication data (See Bartolomeos Page 13 Lines 9-11).

Kaliski teaches a method for a client to authenticate itself to multiple servers by signing a message with the client's private key, the message containing a nonce from each of the servers, and the private key being of a public/private key pair. Kaliski further teaches that the signed message is returned to server, wherein the client is authenticated if the server verifies the signature of the message, as well as verifying that the message contains its corresponding nonce (See Kaliski Paragraph 0069 and 0083-0086, particularly 0085).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kaliski in the client authentication system of Bartolomeos by having each server provide a nonce for the client, having the client sign a message containing the nonces, having the client return the signed message to server 120(1), authenticating the client using the message, and if authenticated, providing the signed message to each of servers 120(2)-120(M) which then use the signed message to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide a more secure authentication than User ID and Password, and further would have been motivated to ensure that the authentication data is fresh and not a replay of previous authentication data.

In this combination, it further would have been obvious to the ordinary person skilled in the art at the time of invention for Server 120(1) to have collected the nonces from Servers 120(2)-120(M) and provided them to the client in a single message as a challenge to the client. This would have been obvious because Bartolomeos disclosed only server 120(1) requesting authentication data from the client, and furthermore Bartolomeos is concerned with eliminating repetitive, tedious and burdensome tasks, and one of ordinary skill in the art would have recognized that sending an individual nonce message for each of the M servers would have been repetitive, tedious, and burdensome. Furthermore, sending one message containing all the nonces to the client would have been obvious because the ordinary person skilled in the art would have been motivated to eliminate unnecessary traffic through network 110.

Regarding claim 32, Bartolomeos disclosed a computer program product for authenticating a client (See Bartolomeos Fig. 1 Element 100(1)), comprising: a computer readable media having computer program code embodied therein, the computer readable program code comprising: computer readable program code which receives at a server (See Bartolomeos Fig. 1 Element 120(2)) of a plurality of servers (See Bartolomeos Fig. 1 Elements 120(2)-120(M)), authentication data that is provided to each of the plurality of servers (See Bartolomeos Page 14 Lines 1-4) from an entity other than the client or the plurality of servers (See Bartolomeos Page 14 Lines 1-4 server 120(1)), the authentication data being associated with each of the plurality of servers (See Bartolomeos Page 14 Lines 5-6 and Page 11 Lines 6-11); and computer readable program code which authenticates the client based on the received authentication data (See Bartolomeos Page 14 Lines 5-6), but Bartolomeos failed to disclose that the authentication data was a common nonce associated with the plurality of servers, or that the common nonce was signed by the client prior to being used to authenticate the client. However, Bartolomeos did suggest that any type of authentication could have been used, and that the disclosed username and password were simply one embodiment (See Bartolomeos Page 11 Lines 6-11), and Bartolomeos did disclose only server 120(1) contacting the client to request the client's authentication data (See Bartolomeos Page 13 Lines 9-11).

Kaliski teaches a method for a client to authenticate itself to multiple servers by signing a message with the client's private key, the message containing a nonce from each of the servers, and the private key being of a public/private key pair. Kaliski further teaches that the signed message is returned to server, wherein the client is authenticated if the server verifies the signature of the message, as well as verifying that the message contains its corresponding nonce (See Kaliski Paragraph 0069 and 0083-0086, particularly 0085).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Kaliski in the client authentication system of Bartolomeos by having each server provide a nonce for the client, having the client sign a message containing the nonces, having the client return the signed message to server 120(1), authenticating the client using the message, and if authenticated, providing the signed message to each of servers 120(2)-120(M) which then use the signed message to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide a more secure authentication than User ID and Password, and further would have been motivated to ensure that the authentication data is fresh and not a replay of previous authentication data.

In this combination, it further would have been obvious to the ordinary person skilled in the art at the time of invention for Server 120(1) to have collected the nonces from Servers 120(2)-120(M) and provided them to the client in a single message as a challenge to the client. This would have been obvious because Bartolomeos disclosed only server 120(1) requesting authentication data from the client, and furthermore Bartolomeos is concerned with eliminating repetitive, tedious and burdensome tasks, and one of ordinary skill in the art would have recognized that sending an individual nonce message for each of the M servers would have been repetitive, tedious, and burdensome. Furthermore, sending one message containing all the nonces to the client would have been obvious because the ordinary person skilled in the art would have been motivated to eliminate unnecessary traffic through network 110.

Regarding claim 2, the combination of Bartolomeos and Kaliski disclosed that the step of obtaining a common nonce comprises the step of generating, by an entity other than the client (110(1)) or the plurality of servers (120(2)-120(M)), a common nonce based on information obtained from each of the plurality of servers (See Kaliski Paragraphs 0083-0086 as well as the rejection of claim 1 above, wherein server 120(1) generates the message).

Regarding claim 3, the combination of Bartolomeos and Kaliski disclosed that the step of generating a common nonce comprises the steps of: obtaining pre-nonce contributions from the plurality of servers (See Kaliski Paragraphs 0083-0086); combining the pre-nonce contributions to provide a single pre-nonce token (See Kaliski Paragraph 0085 and the rejection of claim 1 above); and providing the common nonce based on the pre-nonce token (See the rejection of claim 1 above).

Regarding claim 5, the combination of Bartolomeos and Kaliski disclosed that the step of combining the pre-nonce contributions to provide a single pre-nonce token comprises concatenating the pre-nonce contributions (See Kaliski Paragraph 0085 and the rejection of claim 1 above).

Regarding claim 7, the combination of Bartolomeos and Kaliski disclosed that the step of obtaining pre-nonce contributions comprises the steps of requesting a pre-nonce contribution from each of the plurality of servers and receiving the pre-nonce contributions from the plurality of servers (See Kaliski Paragraph 0083 and the rejection of claim 1 above).

Regarding claims 8-10, the combination of Bartolomeos and Kaliski disclosed that requesting a pre-nonce contribution comprises sending authenticated requests to the plurality of servers (See Kaliski paragraph 0083 and the rejection of claim 1 above); wherein the authenticated requests are encrypted, and include a source of the request (wherein it was well known in the art of information security at the time of invention to use authenticated requests, to encrypt communications, and to include the source of a message with the message).

Regarding claim 11, the combination of Bartolomeos and Kaliski disclosed that the pre-nonce contributions include at least one of an identification of a server of the plurality of servers and a random number (See Kaliski Paragraphs 0083-0086).

Regarding claim 14, the combination of Bartolomeos and Kaliski disclosed receiving a transaction identification from a trusted server of the plurality of servers and associating the transaction identification with the common nonce (See Kaliski Paragraph 0085 and the rejection of claim 1 above).

Regarding claim 15, the combination of Bartolomeos and Kaliski disclosed tracking use of the common nonce based on the transaction identification (See Kaliski Paragraph 0085 and the rejection of claim 1 above).

Regarding claim 29, the combination of Bartolomeos and Kaliski disclosed that the common nonce is provided by a trusted third party (See the rejection of claim 28 above, wherein the common nonce is provided by the server 120(1)).

Regarding claim 30, the combination of Bartolomeos and Kaliski disclosed that the common nonce is generated by an entity other than the client or the plurality of servers based on information provided by each of the plurality of servers (See the rejection of claim 28 above).

Claims 4, 6, 12-13 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over the combination of Bartolomeos and Kaliski as applied to claim 3 above, and further in view of Schneier (Applied Cryptography).

Regarding claim 4, the combination of Bartolomeos and Kaliski disclosed providing a common nonce (See Kaliski Paragraph 0085 and the rejection of claim 1 above), but failed to disclose reducing the nonce challenges to provide the common nonce. However, the combination of Bartolomeos and Kaliski did disclose digitally signing a message containing the nonce challenges (See the rejection of claim 1 above).

Schneier teaches that when digitally signing a message, it is practical to hash the message and encrypt the hash, with a private key, as the signature, rather than encrypting the whole message (See Schneier Page 38 Section Signing Documents with Public-Key Cryptography and One-Way Hash Functions). Schneier also teaches that in such a system, to verify the signature, the verifier hashes the message, decrypts the signed hash with the signer's public key, and verifies that the two hashes are the same (See Schneier Page 38 Section Signing Documents with Public-Key Cryptography and One-Way Hash Functions).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Schneier in the digital signatures of the combination of Bartolomeos and Kaliski by providing a hash of the nonce message instead of the whole nonce message for signing. This would have been obvious because the ordinary person skilled in the art would have been motivated to increase the speed of the signing method, as well as reduce the amount of data needing to be transmitted to the client.

Regarding claim 6, the combination of Bartolomeos, Kaliski, and Schneier disclosed that the step of reducing the pre-nonce token to provide the common nonce comprises the step of hashing the pre-nonce token utilizing a one-way hash function so as to provide the common nonce (See the rejection of claim 4 above).

Regarding claim 20, the combination of Bartolomeos, Kaliski, and Schneier disclosed that at least one of the plurality of servers carries out the steps of: receiving the signed common nonce, the common nonce and the pre-nonce token; hashing the received pre-nonce token; comparing the hashed pre-nonce token to the common nonce; indicating that the client is not authenticated if the hashed pre-nonce token is different from the common nonce (See Kaliski Paragraph 0085 and Schneier Page 38 Section Signing Documents with Public-Key Cryptography and One-Way Hash Functions).

Regarding claims 12-13, the combination of Bartolomeos and Kaliski disclosed the client checking the nonce challenge from the server for requisite strength, and aborting the authentication process if the nonce challenge did not meet the requisite strength (See Kaliski Paragraph 0084), but failed to disclose that this check included checking the signature of the nonce challenge to verify that it was signed by the server.

Schneier teaches that digital signatures provide a means for verifying the sender of a message (See Schneier Page 37 Signing Documents with Public Key Cryptography).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Schneier in the nonce challenge system of Bartolomeos and Kaliski by having the servers 120(2)-120(M) sign the challenges and having the server 120(1) verify the signature of the challenges before using the challenges. This would have been obvious because the ordinary person skilled in the art would have been motivated to protect against illicit alteration of the challenge nonce.

Claims 16-19, and 21-22 are rejected under 35 U.S.C. 103(a) as being unpatentable over the combination of Bartolomeos and Kaliski as applied to claim 3 above, and further in view of Menezes et al. (Handbook of Applied Cryptography).

Regarding claim 21, the combination of Bartolomeos and Kaliski disclosed the server receiving the nonce challenges, and authenticating the client based on whether the nonce challenges included the nonce challenge of the server (See Kaliski Paragraph 0085), but failed to disclose that the nonce challenges included random numbers.

Menezes teaches that nonce challenges can be random numbers (See Menezes Page 398).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Menezes in the nonce challenge system of the combination of Bartolomeos and Kaliski by having the nonce challenges be random numbers. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide uniqueness and timeliness assurances in the system in order to avoid replay and interleaving attacks.

Regarding claims 16-17 and 22, the combination of Bartolomeos and Kaliski disclosed a plurality of servers providing nonce challenges to a client in order to authenticate the client, and verifying the nonce in the response to the challenge (See Kaliski Paragraphs 0083-0085) but failed to disclose giving the nonce an expiration time and further authenticating the client based on the expiration time.

Menezes teaches that when using nonce challenges the challenger should apply a timeout period to the nonce and not authenticate the client if the response is received after the timeout period has expired (See Menezes Page 398 Section (i)).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Menezes in the nonce challenge system of the combination of Bartolomeos and Kaliski by applying and checking a timeout period to the nonce when authenticating a client. This would have been obvious because the ordinary person skilled in the art would have been motivated to provide protection against replay and interleaving attacks.
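The server-side checks recited for claims 20-21 and the timeout applied for claims 16-17 and 22, as an added Python example that is not taken from the Office action or any cited reference. SHA-256, the length-prefixed token encoding, the 120-second lifetime and all function names are assumptions; verifying the client's signature over the common nonce is taken to happen separately.

```python
import hashlib
import hmac
import secrets
import time

NONCE_LIFETIME_S = 120  # assumed timeout period; the action names no value


def make_contribution(server_id):
    """A server's pre-nonce contribution: its identification and a random number."""
    return server_id.encode() + b":" + secrets.token_hex(16).encode()


def build_pre_nonce_token(contributions):
    """Join contributions with 2-byte length prefixes (assumed encoding)."""
    return b"".join(len(c).to_bytes(2, "big") + c for c in contributions)


def split_pre_nonce_token(token):
    """Recover the individual contributions; reject truncated input."""
    parts, i = [], 0
    while i < len(token):
        n = int.from_bytes(token[i:i + 2], "big")
        if i + 2 + n > len(token):
            raise ValueError("truncated pre-nonce token")
        parts.append(token[i + 2:i + 2 + n])
        i += 2 + n
    return parts


def reduce_to_common_nonce(token):
    """Reduce the pre-nonce token with a one-way hash (SHA-256 assumed)."""
    return hashlib.sha256(token).digest()


def server_check(my_contribution, issued_at, common_nonce, token, now=None):
    """Return "ok" or the reason this server refuses to authenticate."""
    now = time.time() if now is None else now
    if now - issued_at > NONCE_LIFETIME_S:
        return "expired"                  # response arrived after the timeout
    if not hmac.compare_digest(reduce_to_common_nonce(token), common_nonce):
        return "hash-mismatch"            # hashed token differs from the nonce
    try:
        parts = split_pre_nonce_token(token)
    except ValueError:
        return "malformed"
    if not any(hmac.compare_digest(my_contribution, p) for p in parts):
        return "contribution-missing"     # this server's challenge is absent
    return "ok"
```

Each server runs `server_check` with its own stored contribution and issue time, so a common nonce built without that server's challenge is refused even when its hash is internally consistent.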

Regarding claims 18-19, the combination of Bartolomeos and Kaliski disclosed using a user's public key to verify the signature of the nonce message by verifying that the signature corresponded to the signature of the client's private/public key pair (See Kaliski Paragraph 0085), but failed to disclose that the verifying server got the public key from a public key certificate and also failed to disclose that the authentication would fail if the certificate was not trusted.

Menezes teaches that public key certificates are a means to store, distribute, and forward public keys without danger of undetectable manipulation. Menezes also teaches that when using a certificate for authentication, the certificate is received, the expiration date is checked, the certification authority validity is checked, the signature of the certificate is checked, and the certificate is checked to see if it has been revoked, and if these checks pass then the public key is valid (See Menezes Pages 559-560).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Menezes in the authentication system of the combination of Bartolomeos and Kaliski by obtaining the public key from a public key certificate and verifying that the certificate is valid in order to use the public key to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to protect against undetected manipulation of the public key.

Claim 23 is rejected under 35 U.S.C. 103(a) as being unpatentable over the combination of Bartolomeos and Kaliski as applied to claim 1 above, and further in view of Day (US Patent Number 6,052,784).

The combination of Bartolomeos and Kaliski disclosed a challenge nonce system (See Kaliski Paragraphs 0083-0086) but failed to disclose the nonce being received from a trusted third party and verifying the signature of the trusted third party.

Day teaches that a nonce can be signed by a trusted third party in order to authenticate the nonce (See Day Col. 3 Paragraph 5).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Day in the nonce challenge system of the combination of Bartolomeos and Kaliski by having the nonce challenges signed by a certification authority prior to sending the challenge to the client, and verifying the signature on the nonce. This would have been obvious because the ordinary person skilled in the art would have been motivated to prevent the nonce from being illicitly undetectably modified prior to the client receiving the nonce challenge.

Claims 24-25 are rejected under 35 U.S.C. 103(a) as being unpatentable over the combination of Bartolomeos, Kaliski, and Day as applied to claim 23 above, and further in view of Menezes.

The combination of Bartolomeos, Kaliski, and Day disclosed using a user's public key to verify the signature of the nonce message by verifying that the signature corresponded to the signature of the client's private/public key pair (See Kaliski Paragraph 0085), but failed to disclose that the verifying server got the public key from a public key certificate and also failed to disclose that the authentication would fail if the certificate was not trusted.

Menezes teaches that public key certificates are a means to store, distribute, and forward public keys without danger of undetectable manipulation. Menezes also teaches that when using a certificate for authentication, the certificate is received, the expiration date is checked, the certification authority validity is checked, the signature of the certificate is checked, and the certificate is checked to see if it has been revoked, and if these checks pass then the public key is valid (See Menezes Pages 559-560).

It would have been obvious to the ordinary person skilled in the art at the time of invention to employ the teachings of Menezes in the authentication system of the combination of Bartolomeos, Kaliski, and Day by obtaining the public key from a public key certificate and verifying that the certificate is valid in order to use the public key to authenticate the client. This would have been obvious because the ordinary person skilled in the art would have been motivated to protect against undetected manipulation of the public key.

Conclusion

Claims 1-32 have been rejected.

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew T. Henning whose telephone number is (571) 272-3790.

organization where this application or proceeding is assigned is 571-273-8300.